[Info-vax] 'Kill tool' released for unpatched Apache server vulnerability
Martin Vorlaender
mv at pdv-systeme.de
Thu Aug 25 17:18:17 EDT 2011
Rich Jordan <jordan at ccs4vms.com> wrote:
> John Nebel <john.ne... at csdco.com> wrote:
>> As <http://labs.hoffmanlabs.com/node/1767> indicates, even with
>> mod_deflate shut off, the exploit will affect OpenVMS.
>>
>> [root at arethusa ~]# ./kill_apache.pl www.whatever.com
>> host seems vuln
>> ATTACKING whatever [using 500 forks]
>>
>> If one adds these to httpd.conf
>>
>> LoadModule headers_module modules/mod_headers.exe
>> RequestHeader unset Range
>>
>> [root at arethusa ~]# ./kill_apache.pl www.whatever.com
>> Host does not seem vulnerable
>>
>> SWS 2.2 update 1 and 2.1-1 update 2
>
> The links referenced by Hoff's entry on this point out that just
> removing the Range header can block legitimate clients and requests.
> They provide a variant that allows up to 5 ranges but it doesn't work
> on my test system, and according to the Apache docs, it can't actually
> work:
>
> Test box: OpenVMS Alpha V8.3, TCPIP V5.6 ECO 5, CSWS V2.1-1 Update 1.0
>
> # drop Range header when more than 5 ranges.
> # CVE-2011-3192
> SetEnvIf Range (,.*?){5,} bad-range=1
> RequestHeader unset Range env=bad-range
>
> With this in my virtual container definition I get the error:
>
> "header unset takes two arguments"
[...]
The workaround I use (but haven't tested yet) is
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
RewriteRule .* - [F]
and
RewriteOptions inherit
for any virtual hosts (in case the rewrite rule is placed in
the global part of the config).
cf. http://seclists.org/fulldisclosure/2011/Aug/241
cu,
Martin
--
One OS to rule them all | Martin Vorlaender | OpenVMS rules!
One OS to find them | work: mv at pdv-systeme.de
One OS to bring them all | http://vms.pdv-systeme.de/users/martinv/
And in the Darkness bind them.| home: martin.vorlaender at t-online.de
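The two mitigations discussed in this thread draw the line in different places: the advisory's SetEnvIf rule strips the Range header only when it carries more than five ranges, while the mod_rewrite workaround refuses any GET or HEAD request whose Range value lists two or more ranges, which is what makes Rich's point about legitimate multi-range clients matter. The following script is an added example, not part of the original thread or of any Apache or CSWS code; it evaluates the regular expressions from both rules, as written above, against a handful of constructed Range header values so an administrator can see which requests each rule would affect before deploying either. The sample header values and the `evaluate` function name are assumptions made for the example.

```python
import re

# Regex from the SetEnvIf rule quoted from the Apache advisory: the header is
# flagged when it contains five or more commas, i.e. more than five ranges.
ADVISORY_RANGE_RE = re.compile(r"(,.*?){5,}")

# Regexes from the mod_rewrite workaround in the thread: the request is refused
# (403, from the [F] flag) when the method starts with GET or HEAD (case-insensitive,
# from the [NC] flag) and the Range value carries two or more byte-range specs.
REWRITE_METHOD_RE = re.compile(r"^(HEAD|GET)", re.IGNORECASE)
REWRITE_RANGE_RE = re.compile(r"([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+")


def count_ranges(range_value):
    """Number of byte-range specs in a Range value such as 'bytes=0-9,20-'."""
    _, _, specs = range_value.partition("=")
    return len([s for s in specs.split(",") if s.strip()])


def advisory_rule_drops(range_value):
    """True if the advisory's SetEnvIf/RequestHeader pair would strip this header."""
    return ADVISORY_RANGE_RE.search(range_value) is not None


def rewrite_rule_forbids(method, range_value):
    """True if the RewriteCond/RewriteRule pair would answer 403 Forbidden."""
    if REWRITE_METHOD_RE.match(method) is None:
        return False  # the rewrite rule does not look at other methods
    return REWRITE_RANGE_RE.search(range_value) is not None


def evaluate(method, range_value):
    """Outcome of both rules for one request (hypothetical helper for this example)."""
    return {
        "ranges": count_ranges(range_value),
        "advisory_drops_header": advisory_rule_drops(range_value),
        "rewrite_forbids_request": rewrite_rule_forbids(method, range_value),
    }


# Constructed sample requests for the demonstration, not captured traffic.
SAMPLES = [
    ("GET", "bytes=0-1023"),                    # ordinary resumed download
    ("GET", "bytes=0-1023,2048-4095"),          # two ranges, as a PDF viewer might send
    ("GET", "bytes=0-0,1-1,2-2,3-3,4-4"),       # five ranges: advisory rule still allows
    ("GET", "bytes=" + ",".join(f"{i}-{i}" for i in range(8))),  # eight ranges
    ("POST", "bytes=0-0,1-1"),                  # rewrite rule ignores POST
]

if __name__ == "__main__":
    for method, value in SAMPLES:
        print(f"{method:4} {value:40} {evaluate(method, value)}")
```

Running it shows the trade-off in one table: the two-range request that a PDF viewer or download manager sends passes the advisory rule untouched but is refused outright by the rewrite rule, whereas a request with six or more ranges is caught by both.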